In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness needed to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with a sarcastic attitude.

Thursday, June 17, 2010

Lottery winning notifications, Western Union payment notifications, dead relatives, advance fee schemes impersonating law enforcement agencies - their arsenal of themes is endless. Their IPs, however, aren't, given that the majority of 419 scams are not sent through botnets but manually, and in a targeted fashion. That makes the sending IP a far more durable indicator than the ever-changing subject line.

Nothing hurts a cybercriminal as much as decent historical OSINT on their activities. Beyond more efficient case building, such historical OSINT helps establish some pretty interesting connections within the cybercrime ecosystem, which, as practice and experience have shown, is not necessarily as big as originally assumed.

This isn't the first time Twitter has been abused for malicious purposes, and it definitely won't be the last. Quick community response and takedown actions hit them where it hurts most: the monetization vector.

Tuesday, June 15, 2010

A Photo Album themed campaign spamvertised through Facebook personal messages, with the domain's IP responding to ZeuS C&Cs; an indirect connection between this campaign and the "100,000+ Scareware Serving Fake YouTube Pages Campaign"; and a domain portfolio used in a currently active mass SQL injection attack serving CVE-2007-5659 exploits (the Adobe Reader Collab.collectEmailInfo() PDF buffer overflow), parked within the same AS as the Facebook campaign itself.

Based on the campaign's structure, it's pretty clear that the template-ization of malware serving sites (Part Two) is not dead. Let's dissect the campaign, its structure and the monetization/traffic optimization tactics used, list all the domains and URLs involved, and establish multiple connections (in this case through AS6851, BKCNET "SIA" IZZI) to recent malware campaigns -- cybercriminals are often customers of the same cybercrime-friendly provider.

The campaign relies on a typical mix of compromised and purely malicious sites, but uses not just an identical template but an identical campaign structure, which remains pretty static for the time being. Upon visiting one of the sites and meeting the referrer requirement -- a Google referrer works fine -- the hardcoded preload.php loads, always pointing to the same IP with a randomly generated code that changes over time: 91.188.60.126/?q=jzhaf - AS6851, BKCNET "SIA" IZZI. The referrer check is also why a direct visit, or a crawler that sends no Referer header, sees nothing but a clean page.

A second traffic optimization step then loads two different subdomains of byethost4.com, where another redirection takes place, this time to the bogus mybookface.net - 209.51.195.115 - Email: hostorgadmin@googlemail.com
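The chain described above (compromised site, referrer check, preload.php, the fixed IP with a rotating ?q= code, a byethost4.com hop, then mybookface.net) is the kind of thing worth tracing automatically with and without a Google referrer, so that referrer-gated payloads are not missed. The script below is an added example, not code from the blog: the hosts, paths and the q=jzhaf value are taken from the post, while compromised.example, album1.byethost4.com, the page bodies and the fake_fetch function are constructed stand-ins so it runs offline.

```python
"""Trace a referrer-gated redirect chain offline (added example, not the blog's code).

Constructed responses simulate the campaign described in the post; swap
fake_fetch for a real HTTP client to run it against live infrastructure.
"""
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

GOOGLE_REFERER = "https://www.google.com/search?q=photo+album"  # assumed referer

def fake_fetch(url, headers):
    """Constructed stand-in for an HTTP client: url -> (status, headers, body).
    The compromised site only embeds the loader when the visitor comes from Google."""
    referer = headers.get("Referer", "")
    if url == "http://compromised.example/photoalbum/":
        if "google." in urlsplit(referer).netloc:
            return 200, {}, '<html><iframe src="preload.php" width=1 height=1></iframe></html>'
        return 200, {}, "<html><body>Photo Album</body></html>"
    if url == "http://compromised.example/photoalbum/preload.php":
        return 200, {}, '<script>window.location="http://91.188.60.126/?q=jzhaf";</script>'
    if url.startswith("http://91.188.60.126/?q="):
        return 302, {"Location": "http://album1.byethost4.com/go.php"}, ""
    if url == "http://album1.byethost4.com/go.php":
        return 200, {}, '<meta http-equiv="refresh" content="0;url=http://mybookface.net/login.php">'
    if url == "http://mybookface.net/login.php":
        return 200, {}, "<html>fake Facebook login</html>"
    return 404, {}, ""

# Client-side redirect idioms seen in such campaigns: meta refresh, iframe, JS location.
REDIRECT_PATTERNS = [
    re.compile(r"<meta[^>]+http-equiv=[\"']?refresh[\"']?[^>]*url=([^\"'>\s]+)", re.I),
    re.compile(r"<iframe[^>]+src=[\"']([^\"']+)", re.I),
    re.compile(r"(?:window\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)", re.I),
]

def next_hop(url, status, headers, body):
    """Return the next URL in the chain, or None when the page is terminal."""
    if status in (301, 302, 303, 307, 308) and "Location" in headers:
        return urljoin(url, headers["Location"])
    for pat in REDIRECT_PATTERNS:
        m = pat.search(body)
        if m:
            return urljoin(url, m.group(1))
    return None

def follow_chain(start, fetch, referer="", max_hops=10):
    """Follow redirects from `start`. The first request carries `referer`; later
    hops carry the previous URL as Referer, as a browser would. Stops on loops."""
    chain, url = [start], start
    for _ in range(max_hops):
        hdrs = {"Referer": referer if len(chain) == 1 else chain[-2]}
        status, headers, body = fetch(url, hdrs)
        nxt = next_hop(url, status, headers, body)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        url = nxt
    return chain

def hosts(chain):
    """Just the netlocs, which is what you pivot on afterwards."""
    return [urlsplit(u).netloc for u in chain]

def template(url):
    """Strip the rotating ?q= value so hops from different visits cluster together."""
    parts = urlsplit(url)
    query = re.sub(r"q=[^&]*", "q=<rand>", parts.query)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))

if __name__ == "__main__":
    start = "http://compromised.example/photoalbum/"
    print("with Google referer:", hosts(follow_chain(start, fake_fetch, GOOGLE_REFERER)))
    print("direct visit:       ", hosts(follow_chain(start, fake_fetch)))
```

Run the same start URL twice, once with a search-engine Referer and once without; a chain that only appears with the referrer is the referrer gate the post describes, and template() lets you match the 91.188.60.126/?q= hop across visits even though the code changes.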

Cross-checking across different data sets shows that 91.188.60.126 - AS6851, BKCNET "SIA" IZZI is also known to have been used by at least 4 other members of the affiliate network. Naturally, their "signature" can be seen across multiple ASs as well.

As for AS6851, BKCNET "SIA" IZZI, the same AS is also seen in the following campaigns. Find below an excerpt from a previous post emphasizing the Koobface gang connection, in the sense that both are customers of the same cybercrime-friendly ISP.

What's so special about AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection in the form of urodinam.net, which is also hosted within AS6851, currently responding to 91.188.59.10. More details on urodinam.net:

Moreover, on the exact same IP where the Koobface gang's urodinam.net is parked, we also have the currently active 1zabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client-side exploits using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF.php; admin panel at: 1zabslwvn538n4i5tcjl.com /temp/admin/index.php

The cybercriminals behind it never really stopped feeding new domains, including compromised ones, naturally diversifying the set of topics in order to serve scareware. Now that enough data has been gathered, naturally exposing connections within the cybercrime ecosystem that will be communicated using the "perfect timing, perfect channel" philosophy, it's time to dissect the online campaign, expose the entire portfolio of domains involved, and, of course, take it down.

What's particularly interesting about this gang is their clear understanding of QA (quality assurance) for the sake of increased OPSEC (operational security). Just like in the previous campaigns, each individual domain involved is registered using a separate email, in the majority of cases an automatically registered one, so the registrant email alone cannot be used to link the domains. With or without the QA, there's no escape from the monetization vector - in this case, as in many others, scareware.
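Two passages above make the same operational point from opposite sides: a single IP (91.188.60.126) reused by several affiliates links otherwise unrelated domains, while one fresh registrant email per domain is meant to prevent exactly that kind of linking. The script below is an added example, not the blog's code: it pivots a set of domain records on shared IP, AS and registrant email and shows which pivots still cluster the campaign when the emails are all unique. The IP 91.188.60.126, AS6851, mybookface.net and its contact address come from the post; every other domain, address and AS number is constructed.

```python
"""Pivot domains on shared hosting IP, AS and registrant e-mail (added example).

Constructed records illustrate the post: campaign domains with unique e-mails
but shared hosting, plus unrelated domains that happen to share an e-mail.
"""
from collections import defaultdict

# Constructed: (domain, hosting_ip, asn, registrant_email).  Only the IP
# 91.188.60.126, AS6851 and mybookface.net's record are taken from the post.
RECORDS = [
    ("photo-album-one.example", "91.188.60.126", "AS6851", "qwe123@example.com"),
    ("photo-album-two.example", "91.188.60.126", "AS6851", "rty456@example.com"),
    ("fake-tube-x.example", "91.188.60.200", "AS6851", "uio789@example.com"),
    ("mybookface.net", "209.51.195.115", "AS64500", "hostorgadmin@googlemail.com"),
    ("unrelated-shop.example", "198.51.100.7", "AS64501", "owner@unrelated-shop.example"),
    ("unrelated-blog.example", "198.51.100.8", "AS64501", "owner@unrelated-shop.example"),
]

def pivot_index(records):
    """indicator -> set(domains), one map per pivot type."""
    idx = {"ip": defaultdict(set), "asn": defaultdict(set), "email": defaultdict(set)}
    for domain, ip, asn, email in records:
        idx["ip"][ip].add(domain)
        idx["asn"][asn].add(domain)
        idx["email"][email].add(domain)
    return idx

def shared_indicators(records, kind, min_domains=2):
    """Indicators of `kind` reused by at least `min_domains` domains: the
    pivots that actually connect something."""
    idx = pivot_index(records)[kind]
    return {k: sorted(v) for k, v in idx.items() if len(v) >= min_domains}

def clusters(records, pivots=("ip", "email")):
    """Union-find over domains: two domains are linked when they share any
    indicator of a type listed in `pivots`.  Returns a sorted list of frozensets."""
    parent = {d: d for d, *_ in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    idx = pivot_index(records)
    for kind in pivots:
        for group in idx[kind].values():
            first, *rest = sorted(group)
            for other in rest:
                parent[find(other)] = find(first)
    out = defaultdict(set)
    for d in parent:
        out[find(d)].add(d)
    return sorted((frozenset(s) for s in out.values()), key=lambda s: sorted(s))

if __name__ == "__main__":
    print("shared e-mails:", shared_indicators(RECORDS, "email"))
    print("shared IPs:    ", shared_indicators(RECORDS, "ip"))
    for name, pivots in (("email only", ("email",)), ("ip+email", ("ip", "email")), ("asn", ("asn",))):
        print(name, [sorted(c) for c in clusters(RECORDS, pivots=pivots) if len(c) > 1])
```

With the email pivot alone the campaign domains stay singletons, which is the whole point of the gang's one-email-per-domain habit; the IP pivot links the two domains on 91.188.60.126 regardless. The AS pivot links even more, but treat it as a weak signal: an AS hosts many legitimate customers, and the post itself frames the AS6851 overlap as "customers of the same provider", not as a shared operator.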

It's always worth monitoring developments in the commercial mobile spying apps space, in particular the inevitable customization of their services.

A shady vendor of such applications is attempting to move away from the mass market model of competing vendors by offering potential customers the ability to generate their own .sis files for its spying app targeting the Symbian OS 9 platform. The DIY features also include the ability to self-sign the package with their own certificates. The price tag? A hefty £3000, with no refunds offered.

What's their true motivation behind the release of the DIY generation tool? It appears they are primarily interested in scaling their business operations, giving potential resellers the option to automatically generate the spying apps. Although the self-signing option is interesting, it has limits: on Symbian OS 9 a self-signed SIS only receives the user-grantable capabilities and installs with an untrusted-application warning, which helps explain why mobile malware authors continue abusing Symbian Foundation's certificate signing process, surprisingly, by using bogus company names with no public reference to their existence.

Thanks to the improving monetization models for mobile malware (e.g. calling or SMSing premium rate numbers), mobile malware authors are only now starting to realize and abuse the potential of the micropayments market segment.

About Me

Cyber Threat Intelligence, Cyber Counter Threat Intelligence, CYBERINT, OSINT and Competitive Intelligence research on demand.
Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day.